Standards Landscape March 2018 Update

This update addresses International and US National medical device standards (“a view of the landscape”) being developed or revised that may be of interest to developers of software for medical devices or healthcare. Some of these standards are used directly for regulatory purposes and others may be valuable in demonstrating to regulatory authorities that a developer is using state of the art processes in the development of their products.

This table predicts how the standards being developed or revised will impact the development of health and medical device software. Early in a standard's development this is an educated guess; as the standard gets closer to publication, the possible impacts become easier to see. Some standards apply only to specific types of product, e.g. IEC 60601-1-10 is just for medical devices used in the home. The table shows the impact for the types of products that are within the scope of the standard. For each standard, the table estimates:

  • When the standard will be published (Year)
  • Whether use of the standard will be expected (E) or discretionary (D) for health IT (HIT)
  • Whether use of the standard will be expected (E) or discretionary (D) for regulated medical devices (MD)
  • Whether development SOPs will likely need to be modified (SOPs)
  • Whether active projects will likely need to add requirements (Active)
  • Whether legacy products in the field will likely be impacted (Legacy)

Which standards will affect SOPs depends, of course, on how the SOPs are currently written. If it is possible that SOPs will need to change, a gap analysis should be performed to identify the changes that are needed. Many of the software engineering standards are process standards that provide guidance on good practices. If adopted, these standards may require changes to SOPs, but they are not used in regulation and do not cause changes to active or legacy products.

Legacy products can be impacted when the scope of the standard includes post-market processes or requirements. Legacy products in the EU can also be impacted because EU regulations require that products in the field meet the current state of the art applying to the requirements in the regulations. International standards are often seen as being the current state of the art, so changes to these standards may require changes to legacy products for them to continue to meet the requirements of the regulations.

Standard | Year | HIT | MD | SOPs | Active | Legacy
--- | --- | --- | --- | --- | --- | ---
IMDRF Essential Principles of Safety and Performance of Medical Devices and IVD Medical Devices (revision of GHTF document) | 2018 | (D) | (E) | Yes | Yes | No
ISO 14971 Medical devices — Application of risk management to medical devices (revision) | 2019 | (D) | (E) | Yes | Yes | Yes
ISO TR 24971 Medical devices — Guidance on the application of ISO 14971 (revision) | 2019 | (D) | (E) | No | No | No
IEC 60601-1 Medical electrical equipment – Part 1: General requirements for basic safety and essential performance (revision) | 2019 | (D) | (E) | Yes | Yes | Yes
IEC 60601-1-2 Medical electrical equipment – Part 1-2: Electromagnetic disturbances – Requirements and tests (revision) | 2019 | (D) | (E) | Yes | Yes | Yes
IEC 60601-1-6 Medical electrical equipment – Part 1-6: Usability (revision) | 2019 | (D) | (E) | Yes | Yes | Yes
IEC 60601-1-8 Medical electrical equipment – Part 1-8: General requirements, tests, and guidance for alarm systems in medical electrical equipment and medical electrical systems (revision) | 2019 | (D) | (E) | Yes | Yes | Yes
IEC 60601-1-10 Medical electrical equipment – Part 1-10: Requirements for the development of physiologic closed-loop controllers (revision) | 2019 | (D) | (E) | Yes | Yes | Yes
IEC 60601-1-11 Medical electrical equipment – Part 1-11: Requirements for medical electrical equipment and medical electrical systems used in the home healthcare environment (revision) | 2019 | (D) | (E) | Yes | Yes | Yes
IEC 62366-1 Medical devices – Part 1: Application of usability engineering to medical devices (revision) | 2019 | (D) | (E) | Yes | Yes | Yes
IEC 63120 Environmental conscious design of medical electrical equipment – Particular requirements for refurbishment of medical electrical equipment and systems, for re-use of parts, for a management of critical or hazardous substances contained in medical electrical equipment and systems and for a closed loop Business-to-Business take back system (new) | 2020 | (D) | (E) | Yes | Yes | Yes
IEC 62304 ED 2 Health software – Software life cycle processes (revision) | 2019 | (D) | (E) | Yes | Yes | Yes
AAMI SW 96 Application of security risk management for medical devices (new) | 2019 | (D) | (E) | Yes | Yes | Yes
AAMI TIR 97 Principles for medical device security – Post-market security management for device manufacturers (new) | 2019 | (D) | (D) | Yes | Yes | Yes
NIST cybersecurity framework update (revision) | 2018 | (D) | (D) | No | No | No
ISO 11633-1 Health informatics — Information security management for remote maintenance of medical devices and medical information systems — Part 1: Requirements and risk analysis | 2019 | (D) | (D) | Yes | Yes | Yes
ISO 21332 Health informatics — Cloud computing considerations for health information systems security and privacy (new) | 2020 | (D) | (D) | No | No | No
ISO 22696 Health informatics — Guidance for identification and authentication for connectable personal healthcare devices | 2021 | (D) | (D) | No | Yes | Yes
ISO 22697 Health informatics — Application of privacy management to personal health information | 2021 | (D) | (D) | Yes | Yes | Yes
IEC 80001-1 ED2 Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software – Part 1: Application of risk management (revision) | 2019 | (D) | (D) | No | No | No
IEC 81001-1 Health software and health IT systems safety, effectiveness and security – Foundational principles, concepts, and terms (new) | 2019 | (E) | (D) | No | No | No
AAMI TIR 75 Factors to consider when multi-vendor devices interact via an electronic interface; Practical applications and examples (new) | 2018 | (D) | (D) | No | No | No
AAMI1000-1 Health IT Software and Systems – Part 1: Fundamental concepts and principles (new) | 2018 | (E) | NA | No | No | No
AAMI1000-2 Health IT software and systems — Part 2: Application of quality systems principles and practices (new) | 2018 | (E) | NA | No | No | No
AAMI1000-3 Health IT software and systems — Part 3: Application of risk management (new) | 2018 | (E) | NA | No | No | No
AAMI1000-4 Health IT software and systems — Part 4: Application of human factors engineering (new) | 2018 | (E) | NA | No | No | No

Background and standards in process

In 2018 regulations and standards will continue to evolve to address rapidly changing technology. A little more certainty about how borderline cases will be treated can be expected. Questions remain as to what standards will be harmonized under the MDR and IVDR, or what areas will have new EU specifications created. Cybersecurity continues to grow in importance and new regulations and standards are being suggested.

It is important to be aware of how the standards that are used in medical device and Health IT regulations are changing and what new standards are being developed. This report addresses some of the most useful standards being developed or being revised for general medical devices, Health IT software and Health IT systems including mobile apps in healthcare, cybersecurity in healthcare, and system and software engineering standards that may be useful in developing software for medical devices and health IT. A SoftwareCPR Standards Navigator subscription provides monthly updates on status of the changing standards as well as an opportunity to provide input on content as they are developed.

General Medical Device Standards
IMDRF Essential Principles of Safety and Performance of Medical Devices and IVD Medical Devices

This document applies to all medical devices and IVD medical devices, and is intended to identify and describe essential principles of safety and performance which need to be considered during the design and manufacturing process. This document has been developed to encourage and support global convergence of regulatory systems. The purpose of this guidance is to harmonize the documentation and procedures that are used to assess whether a medical device conforms to the regulations that apply in each regulatory jurisdiction.

Risk management

ISO 14971 Medical devices — Application of risk management to medical devices

ISO 14971 was last updated in 2007. A proposal to revise ISO 14971 was approved late in 2016. This work began in 2017 and is expected to complete in 2019. A first draft of the new edition was completed in late 2017. Changes to the standard are to be limited to specific areas such as:

  • clarify the normative requirements, particularly concerning the following topics:
      • production and post-production information,
      • clinical benefits and risk-benefit analysis,
  • move guidance in the informative annexes to ISO/TR 24971, Medical devices – Guidance on the application of ISO 14971,
  • keep the annex with the rationale in ISO 14971, Medical devices — Application of risk management to medical devices.

In addition, the JWG was instructed to consider the following items in the revision of ISO 14971:

  • include references to ISO/TR 24971 and IEC/TR 80002-1, Medical device software – Part 1: Guidance on the application of ISO 14971 to medical device software;
  • clarify the relationship with IEC 62366-1, Medical devices — Part 1: Application of usability engineering to medical devices;
  • consider harmonizing the vocabulary with ISO 31000, Risk management – Principles and guidelines, where appropriate;
  • address data privacy and security.

ISO/TR 24971 Medical devices — Guidance on the application of ISO 14971

ISO/TR 24971 was last updated in 2013. A proposal to revise ISO/TR 24971 together with the revision to ISO 14971 was approved late in 2016. This work began in 2017 and is expected to complete in 2019. A first draft of the new edition was completed in late 2017. Changes to the guidance are to be limited to specific areas such as:

  • merge and update guidance from the informative annexes of ISO 14971, with no change in scope.

IEC 60601-1 series

Amendment 1 of the 3rd edition of IEC 60601-1 was published in 2012. A proposal to develop a second amendment was approved in late 2016. This work began in 2017 and is expected to complete in December 2019. The amendment will be limited to 132 specific issues identified as needing resolution before a 4th edition of IEC 60601-1 is developed. While the amendment is being developed, the IEC Technical Committee responsible for IEC 60601-1 will be making plans for the work on a 4th edition. That project is expected to begin in 2020.

Amendments to five of the IEC 60601 collateral standards were also started in 2017. Publication is planned for the same time as 60601-1. As with 60601-1, the amendments will be limited to specific issues that have been identified as needing speedy resolution.

Drafts of the new amendments were completed in 2017, with committee drafts for vote (the last chance to make technical comments) due by September 2018 and final drafts by June 2019.

Standards that are being amended:

IEC 60601-1/AMD2 ED3 Medical electrical equipment – Part 1: General requirements for basic safety and essential performance

IEC 60601-1-2 Medical electrical equipment – Part 1-2: Electromagnetic disturbances – Requirements and tests

IEC 60601-1-6 Medical electrical equipment – Part 1-6: Usability

IEC 60601-1-8 Medical electrical equipment – Part 1-8: General requirements, tests, and guidance for alarm systems in medical electrical equipment and medical electrical systems

IEC 60601-1-10 Medical electrical equipment – Part 1-10: Requirements for the development of physiologic closed-loop controllers

IEC 60601-1-11 Medical electrical equipment – Part 1-11: Requirements for medical electrical equipment and medical electrical systems used in the home healthcare environment

IEC 62366-1 Medical devices – Part 1: Application of usability engineering to medical devices

In discussions with experts attempting to apply IEC 62366-1:2015 to real-world products, a number of important technical issues have been reported. This proposed amendment attempts to address these issues.

This standard is being amended.

IEC 63120 Environmental conscious design of medical electrical equipment – Particular requirements for refurbishment of medical electrical equipment and systems, for re-use of parts, for a management of critical or hazardous substances contained in medical electrical equipment and systems and for a closed loop Business-to-Business take back system

This is a new standard.

Medical Device and health software

IEC 62304 ED2: Health software – Software life cycle processes

The most important standard being used for medical device software is IEC 62304. The current version was developed for medical device software and published in 2005. It was amended in 2015. A second edition is currently under development that would expand the scope to health software, where health software is a software product that may not be regulated as a medical device in some countries (but may be regulated in others). Publication of the new edition is expected in late 2018 or early 2019.

This is a new edition which will eventually replace the first edition.

Connected Medical Devices and Health IT

There are currently no interoperability standards being used for regulatory purposes, but the increasing importance of interoperability and data analytics, along with the problems arising from cybersecurity threats, makes this an area to watch. Here are some standards being revised or developed that deal with the development, implementation and use of connected devices and health IT.

IEC 80001-1 ED2 Safety, effectiveness and security in the implementation and use of connected medical devices or connected health software – Part 1: Application of risk management

IEC 80001-1 is being revised with a scope change to include health software as well as medical devices and with the intent of making it easier to use for healthcare delivery organizations. Publication is expected about the beginning of 2020.

This is a new edition which will replace the previous edition.

ISO 81001-1 Health software and health IT systems safety, effectiveness and security – Foundational principles, concepts, and terms

This new standard will articulate the foundational principles, concepts, and terms for health software and health IT system safety across the full lifecycle, from concept to disposal, taking into account the evolving complex internal and external context, including people, technology (hardware/software), organization, process, and external environment. Publication is planned for 2020.

This is a new standard.

AAMI TIR75 Factors to consider when multi-vendor devices interact via an electronic interface; Practical applications and examples

This new guidance document is in development. It is intended to help medical device manufacturers think about and evaluate risks associated with interoperability in medical devices. It is expected to be used together with standards to give manufacturers guidance on how to comply with the intent of emerging standards.

This is a new standard.

AAMI HIT1000

AAMI is developing a new series of standards that are targeted to Health IT developers, implementers and users. These standards will be US National Standards and are intended for products that are not regulated by FDA but can impact patient safety. There are currently four standards planned in the series. The standards are expected to be published as preliminary US standards in 2018.

AAMI HIT1000-1, Health IT Software and Systems – Part 1: Fundamental concepts and principles

This standard identifies the fundamental concepts and principles needed to maintain safe, secure and effective HIT software and systems and identifies the roles, and defines the responsibilities, activities and best practices that are necessary for managing safety, security and effectiveness of HIT software and systems within their sociotechnical use context. This standard applies throughout the life cycle of HIT software and systems. It defines the points in the life cycle where different roles assume primary responsibility for maintaining safety, security and effectiveness, and identifies the communication necessary between the different roles at those points.

HIT1000-2, Health IT software and systems — Part 2: Application of quality systems principles and practices

This standard defines the responsibilities of an organization with respect to quality management systems, based on the role that organization plays at specific steps in the health IT life cycle, and the elements of that system that must be communicated to partner organizations.

HIT1000-3, Health IT software and systems — Part 3: Application of risk management

This standard specifies a process to identify the patient safety hazards associated with health IT (HIT) software and HIT systems, to estimate and evaluate the associated risks, to control these risks, and to monitor the effectiveness of the controls. It identifies the roles, and defines the responsibilities, activities and best practices, that are necessary for managing risks to patients posed by HIT software and HIT systems. It applies throughout the life cycle of HIT software and HIT systems and defines the points where different roles assume primary responsibility for risk management. It identifies the communication necessary between the different roles at those points.

HIT1000-4, Health IT software and systems — Part 4: Application of human factors engineering

This standard is intended to help Health IT developers plan and implement a user-centered design process that results in safe, effective, and usable applications.

This is a new multi-part standard. Not all parts will be completed at the same time.

Cybersecurity

Cybersecurity has become a very hot topic for healthcare and medical devices. Regulators are looking at new requirements in several countries. There are existing standards and guidance such as ISO 27799 Health informatics — Information security management in health using ISO/IEC 27002, IEC 80001-2-2 Application of risk management for IT-networks incorporating medical devices — Part 2-2: Guidance for the communication of medical device security needs, risks and controls, and AAMI TIR57: Principles for medical device security—Risk management. Several new standards and guidance documents were started in 2017. It seems very likely that additional new standards will be started in 2018. Some of these standards will cause changes in active and legacy products. The following documents are under development.

NIST Cybersecurity Framework Version 1.1

This is an update to the earlier NIST Cybersecurity Framework released in 2015.

AAMI SW96 Application of security risk management for medical devices

This document is in very early stages, only an outline has been created thus far. The guidance is expected to be completed in 2019.

This is a new standard.

AAMI TIR 97 Principles for medical device security – Post-market security management for device manufacturers

This document is in very early stages, only an outline has been created thus far. The guidance is expected to be completed in 2019.

This is a new standard.

ISO 11633-1 Health informatics — Information security management for remote maintenance of medical devices and medical information systems — Part 1: Requirements and risk analysis

This document focuses on remote maintenance services (RMS) for information systems in healthcare facilities (HCFs) as provided by vendors of medical devices or health information systems. It also shows practical examples of risk analysis intended to protect both sides' information assets (primarily the information system itself and personal health data) in a safe and efficient (i.e. economical) manner.

This document consists of the following items:

  • Security requirements for remote maintenance services
  • An overview of use cases for RMS
  • An overview of information assets in HCFs and RMS providers
  • Risk analysis for RMS

This is a revised standard.

ISO 21332 Health informatics — Cloud computing considerations for health information systems security and privacy

This is a new guidance document being developed. This Technical Report presents an overview of health specific security and privacy requirements for a cloud computing environment.

This is a new standard.

ISO 22696 Health informatics — Guidance for identification and authentication for connectable personal healthcare devices

This document specifies guidance for identification and authentication for connectable personal healthcare devices.

This is a new standard.

ISO 22697 Health informatics — Application of privacy management to personal health information

This document specifies requirements for the application of privacy management to personal health information.

This is a new standard.

System and Software Engineering Standards

These are general system and software standards that are being developed or revised. They are not currently required in any regulatory systems but may be useful for manufacturers developing software used in healthcare and medical devices to demonstrate that they use “state of the art” practices. They are ordered by the year that they are expected to be published.
